ABE in a DFS Environment

Hi all,

I am having a problem in ABE (Access-based Enumeration) in a DFS
(Distributed Files System) environment.

Hong Kong server: SBS 2003 SP1
China Server: Windows Server 2003 Standard SP1

These two servers connected together by VPN in same domain but with
different subnet (192.168.0.X and 192.168.1.X). Both servers are installed
with ABE (by using ABEUI utility).

Both servers have their own shared folder and they also host their own DFS
root. Then, I added some links to the DFS of Win2K3 Standard. The target are
some shared folders in SBS 2003. It works fine. However, it does not work
when I made the same procedure to the SBS 2003, meaning, I add link to the
DFS of SBS 2003 while the target of the link is Win2K3. The target folder
does not show up in Windows Explorer unless I turn off the ABE.

It seems to me that the ACL on the link does not allow me to access the
target even though I did set full control in the target folder (both in
"Share" and "Security").

I tried to use Cacls utility to verify the ACL. But the link is exactly the
same as the target ! (I even manually set the link and target ACL. But no
luck.)

Is there any problem in the AD? How can I fix it? Any help would be highly
appreciated.


Billy

 

Hello Billy,

Thank you for posting to the SBS Newsgroup.

I am sorry for the delayed response due to weekend. Please understand that
the newsgroups are staffed weekdays by Microsoft Support professionals to
answer your systems and applications questions. Your understanding is
greatly appreciated!

I am sorry that did not reply you in time due to high work volume today.

I understand that you installed ABE on both SBS 2K3 Server and Windows
Server 2003, and you cannot see any shared folders on Windows Server 2003
from SBS 2K3 Server unless turned off ABE. If I have misunderstood your
concern, please let me know.

Due to lack of information, I need your help to gather following
information:

1. Just double confirm, did you access the shared folder by \\domain\share?

2. You mentioned "they also host their own DFS root", which root type did
you choose, "stand alone root" or "Domain root"?

3. You mentioned "I add link to the DFS of SBS 2003", I need to know how
you add link to DFS. Do you mean in the DFS Management, right click the
root target you created and select New Link?

4. For your additional information:

If the ACL on the DFS link is not set to match the ACL on the target then
the following situations may arise:

a. If the ACL on the link is more restrictive than the ACL on the target,
then while enumeration, the link will not be displayed. However, if the
user knows the name of the link through some other means, then they would
be able to browse to that path and see the contents of the target.

b. If the ACL on the link is less restrictive than the ACL on the target,
then while enumeration, the link will be displayed but if the user browses
to the link then they will see an "access Denied" message.

Please take your time to gather the information, and I am looking forward
to hearing from you!

Best regards,

Brandy Nee

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------

 

Hi Brandy Nee,

Thank you for your reply.

1) Yes, I shared the folder as \\domain\share.

2) Domain root.

3) Yes, right click the root in the DFS management, and then add new link.

4) Yes, I did know the information in the Microsoft knowledge base website.
That is why use the cacls to manually set the ACL.


Anxiously waiting for your reply.


Billy

************************************************************************************

 

Hello Billy,

Thank you for posting back!

Due to complicated of the issue, I am still doing research on your issue
now. Once I have any results, I will reply you ASAP.

Thanks a lot for your time and understanding!

Best regards,

Brandy Nee

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------

 

Hello Billy,

Sorry to keep you waiting.

I have performed a lot of research, and I found I need your help to gather
some information for further troubleshooting. Could you please help?

a. Please insert Windows 2K3 Server CD to install support tools from
SUPPORT\TOOLS folder.

b. On the SBS Server, open a command window, type following command:
Dfsutil /pktinfo >c:\pktinfo.txt
Dfsutil /spcinfo >c:\spcinfo.txt

then we can know DFS entry and which server is the Active Server.

By the way, besides SBS Server, is there any other DCs in domain?

For your reference:

How to implement Windows Server 2003 Access-based Enumeration in a DFS
environment
http://support.microsoft.com/default.aspx?scid=kb;en-us;907458

I greatly appreciate your time and looking forward to your reply!

Best regards,

Brandy Nee

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------

 

Hello Billy,

Just a follow up. Please copy and paste the full content in c:\pktinfo.txt
and c:\spcinfo.txt to the Newsgroup.

Thanks a lot for your time!

Best regards,

Brandy Nee

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------

 

Hi, Brandy Nee,

Sorry for late reply. Our company finally decided to map the different
shared folders as different drives.

Thank you very much for your help. But for now, this case is closed.

Billy

***********************************************

 

Hello Billy,

Merry Christmas and Happy New Year!

Thanks a lot for posting back and keeping us updated!

I am very sorry to keep you waiting due to complicated of the issue. If you
need any assistance regarding SBS Server in the future, please feel free to
post back. I am glad to be working with you again!

Best regards,

Brandy Nee

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------

<X$>